HarborGuard / CVE
Back to search
HIGHCVE-2026-9977Published Modified CNA Chrome

CVE-2026-9977: Insufficient validation of untrusted input in WebShare in Google Chrome on Android prior to 148

Insufficient validation of untrusted input in WebShare in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

HarborGuard Analysis

HarborGuard analysis

Synopsis

Insufficient input validation in the WebShare API implementation of Google Chrome for Android (versions prior to 148.0.7778.216) allows a remote attacker who has already compromised the browser renderer process to escape the sandbox via a crafted HTML page. The attack is reachable over the network but requires the victim to visit a malicious page, and the attacker must already control the renderer, adding complexity to the exploit chain. Successful exploitation gives the attacker full confidentiality, integrity, and availability impact outside the browser sandbox. A patched-image rebuild at version 148.0.7778.216 is available on HarborGuard for environments running an affected version of Chrome on Android.

HarborGuard Coverage

Detection

Detection of CVE-2026-9977 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chrome or Chromium binary for Android. HarborGuard's pipeline scans both registry images and images flowing through CI/CD pipelines, so affected versions are flagged before deployment.

Available
Triage

HarborGuard scores this CVE at 8.3 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine routing priority. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild at Chrome 148.0.7778.216 is available on HarborGuard for any image found to include an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against the affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker delivers the crafted HTML page over the network, so the target device must be reachable by or able to reach the attacker's server.

  • AuthenticationNot required

    No account or credential is needed; any user browsing to the attacker-controlled page is a viable target.

  • Victim interactionRequired

    The victim must navigate to or be redirected to a crafted HTML page, making social engineering or a malicious ad/link a prerequisite for the attack.

  • Attack complexityDetail

    Attack complexity is rated High because the attacker must have already compromised the renderer process before this vulnerability can be leveraged for sandbox escape, requiring a multi-stage exploit chain.

Blast Radius

  • Reads sensitive data accessible outside the Chrome sandbox on the Android device, including files and app data the compromised renderer would not normally reach.
  • Writes or modifies files and data outside the browser sandbox, enabling persistence mechanisms or tampering with other app data on the device.
  • Crashes or disrupts services and processes outside the browser sandbox, potentially destabilizing the Android system or other applications.
  • Enables full code execution outside the renderer sandbox, giving the attacker a foothold in the broader Android process space.

How HarborGuard Handles This

Available on HarborGuard: images containing Google Chrome for Android at a version below 148.0.7778.216 are flagged automatically as this CVE is ingested from upstream feeds. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image at the patched version, runs a regression test, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS context and remediation guidance. Because this vulnerability requires a multi-stage exploit (renderer compromise followed by sandbox escape), teams unable to update immediately should consider network-policy controls that restrict Chrome's ability to reach untrusted origins, and should evaluate whether WebShare API usage is necessary in their deployments as a compensating control until the patched image is promoted.

See how HarborGuard automates this

Metrics

CVSS v3.1
8.3
Severity
HIGH
Fixed in
148.0.7778.216
Affected Products
1

Fix available

148.0.7778.216
Affected packages
  • Google / Chrome
    < 148.0.7778.216 (from 148.0.7778.216)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
References